March 9, 2021

The Havoc of MS Exchange Servers: Is it only Hafnium or somebody else as well?

As per the recent attacks on Microsoft Exchange Server by the Chinese threat group named Hafnium, at least 60,000 companies have been affected all over the world. The attack has affected on-premises versions of Microsoft Exchange Server and targeted a varied set of organizations such as small business, government bodies, critical infrastructures, and enterprises. The Hafnium group installed a web shell exploiting remote code execution vulnerabilities on the target exchange servers, thereby gaining access to sensitive information including but not limited to email addresses, user profiles, email contents, attachments, etc. Whenever are zero-day vulnerability is discovered, multiple hacker groups come out to milk the benefits of it and therefore the question arises whether it is only the Hafnium group who exploiting these vulnerabilities.

The answer to this question is NO. While most investigations have traced the attack campaigns to Hafnium, Hive Pro Threat Research Team observed the TTPs of an Iranian State Sponsored Threat Group OilRig aka GreenBug and APT34 on critical infrastructure customers in the Middle East region targeting MS Exchange Servers. Most of the evidence obtained in the investigation were in line with the activities performed by OilRig in the past; however, the signatures and IOCs identified were of the MS Exchange Server Zero Day Vulnerabilities.

This attack campaign has been included in the list of the most sophisticated attacks in history and therefore, let us walk through the series of events from the first whistle blown by Volexity to what is happening today.

The timeline of the attack campaign

January 2021

February 2021

2nd March 2021

3rd March 2021

5th March 2021

6th March 2021

7th March 2021

Author: Rashmi Singh

Related Events

Dive into our library of resources for expert insights, guides, and in-depth analysis on maximizing Uni5 Xposure’s capabilities

Book a demo and find out more about how Hive Pro can double your operational efficiency

Book a Demo